FIDO2 Security Keys: FAQ


What are FIDO2 Security Keys?

FIDO2 Security Keys are small, physical devices that provide strong, hardware-based authentication. They replace or supplement traditional passwords, making your online accounts much more secure.


Why Should I Use a FIDO2 Security Key?

  • Enhanced Security: They are highly resistant to phishing and man-in-the-middle attacks.
  • Ease of Use: Simple setup and usage process.
  • Broad Compatibility: Compatible with many major services and platforms.

Why are Token2 keys more secure than competitors?

Token2 keys provide enhanced security features compared to many competitors. PIN complexity is an example of such a feature. They are built with advanced cryptographic hardware, ensuring strong protection against phishing, man-in-the-middle attacks, and credential theft.

Additionally, Token2 keys go through independent security assessments and comply with the latest FIDO2 standards. The use of trusted open-source algorithms and thorough quality control in Token2’s manufacturing process ensures the integrity of the keys. Combined with strong hardware-based security and independent certifications, Token2 keys provide a more reliable solution for protecting your online accounts.


What Do I Need to Start Using a FIDO2 Security Key?

You don’t need any special tools to start using a FIDO2 security key. Most operating systems and modern web browsers support them out of the box.

Which Operating Systems and Browsers Support FIDO2 Security Keys?

  • Operating Systems: Windows, macOS, Linux [1], Android [2], iOS
  • Browsers: Chrome, Firefox, Edge, Safari

[1] USB support is fully available with Linux. However, using NFC transport may be unstable depending on the distro and NFC reader used.
[2] USB support is fully available with the latest Android. However, using NFC transport is not supported if the key is PIN-protected (as of Sept 2024).

More information about Operating Systems and Browsers support is available on this page.


How Do I Set Up My FIDO2 Security Key?

For PC/Laptop

  1. Insert the Key: Plug the FIDO2 key into your computer’s USB port (USB-A or USB-C).
  2. Go to Account Security Settings: Open the security settings of the service you want to secure (e.g., Google, Microsoft, Facebook).
  3. Add a Security Key: Find the option to add a security key under two-factor authentication (2FA), Passkeys or security settings.
  4. Follow Prompts: The website will guide you through the process, usually involving touching the key’s button to confirm your identity.
  5. Backup Methods: Set up a backup method: another FIDO2 key (recommended), an authenticator app, or recovery codes.


For Mobile Devices

  1. Connect via USB-C or NFC: Depending on your key’s compatibility and your phone’s capabilities.
  2. Access Security Settings: Go to the security settings of the app/service you want to secure.
  3. Add Security Key: Find the option to add a security key in the 2FA settings.
  4. Follow Instructions: Follow the app’s instructions to register the key.

You can refer to this page for a universal guide about enrolling and using FIDO keys. Detailed step-by-step guides for certain services are available on our website.

How Do I Use My FIDO2 Security Key?

  1. Logging In: Insert the key into your device or use NFC.
  2. Authentication: Touch the key’s button when prompted.
  3. Access Granted: You’re now securely logged in.

What If I Lose My FIDO2 Security Key?

  • Backup Methods: Use your backup methods (another security key, authenticator app, or recovery codes) to regain access.
  • Account Settings: Remove the lost key from your account settings immediately.



Do I Need Any Tools for Advanced Operations?

For advanced operations like passkey management, you may need specific tools or software. Tools like FIDO2.1 Manager (open-source), Chrome Security Key management and similar can help manage your keys and credentials.

How Can I Manage Multiple FIDO2 Security Keys?

  • Multiple Keys: Keep more than one key registered to your accounts for backup.
  • Label Your Keys: Label your keys to differentiate them.
  • Periodic Review: Regularly review your security settings to ensure all keys are up to date and properly configured. Compare the list of accounts/services enrolled with your primary and backup keys.

What Should I Do If My Key is Not Recognized?

  • Check Connection: Ensure the key is properly inserted and the device supports the key’s connection type (USB, NFC).
  • Device Compatibility: Verify that your device and browser support FIDO2 keys.
  • Software Updates: Ensure your device and browser are updated to the latest versions.

Are There Any Limitations to Using FIDO2 Security Keys?

  • Service Support: Not all online services support FIDO2 keys yet, although support is growing.
  • Physical Access: You need physical access to your key to log in, so always have it handy.

What is Entra ID Passwordless with FIDO2 and is it MFA?

Entra ID (formerly Azure Active Directory, AAD) Passwordless authentication allows users to sign in without using a password. This method is considered Multi-Factor Authentication (MFA) because it combines at least two forms of authentication factors:

  • Possession Factor: Something you have (e.g., your FIDO2 security key).
  • Inherence Factor: Something you are (e.g., biometric verification like a fingerprint).

By eliminating passwords and using stronger authentication factors, Entra ID Passwordless significantly enhances security and user experience.


Why am I required to enter my PIN in some cases, while in others it works without a PIN?

It depends on how the authentication server deals with user verification - there are 3 different modes:

  1. Always ask for a PIN (verification required).
  2. Ask for a PIN if a PIN is set on the security key (verification preferred).
  3. Never ask for a PIN (verification discouraged).

These settings are usually fixed on the server-side and not selectable by end users (we made it available for our demo only). However, this can be enforced at the security key's firmware level as well if needed. You can read more about user verification settings here.

Why do some websites create a passkey on my FIDO2 key, while others don’t?

Some websites create a passkey (also known as a resident or discoverable credential) on your FIDO2 key, while others don’t, depending on how the site implements the FIDO2 standard. Websites that support WebAuthn can store passkeys directly on the FIDO2 key, allowing you to log in passwordlessly by simply using the key. These credentials are stored securely on the key and can be used without needing additional login information like a username or password.

However, some websites only support FIDO2 as a second factor, requiring a password first and then using the FIDO2 key as a second layer of security (non-resident credentials). In these cases, no passkey is created, and you’ll need both the password and the key to authenticate.
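
The three verification modes and the passkey versus second-factor distinction described above map to WebAuthn's `userVerification` and `residentKey` options. The following is an added example (not Token2's or any service's own code) of how a relying party might set them and then enforce the PIN requirement from the flags in the returned authenticator data. The function names and sample bytes are constructed for illustration, and the rpIdHash, challenge and signature checks are assumed to happen elsewhere.

```javascript
// Added example; names are hypothetical, sample bytes are constructed.
// Authenticator data layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
const FLAG_UP = 0x01; // user present (key touched)
const FLAG_UV = 0x04; // user verified (PIN or biometric checked by the key)

// authenticatorSelection for the two kinds of site described above.
function authenticatorSelectionFor(siteKind, uvPolicy) {
  if (!["required", "preferred", "discouraged"].includes(uvPolicy)) {
    throw new Error("unknown userVerification policy: " + uvPolicy);
  }
  return {
    // "required": the key stores a passkey (discoverable credential).
    // "discouraged": non-resident credential, used after a password.
    residentKey: siteKind === "passwordless" ? "required" : "discouraged",
    userVerification: uvPolicy,
  };
}

function parseAuthData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side decision: requesting verification is not enough, the flag must be checked.
function acceptAssertion(authDataBytes, uvPolicy) {
  const d = parseAuthData(authDataBytes);
  if (!d.userPresent) return { ok: false, reason: "user presence flag not set" };
  if (uvPolicy === "required" && !d.userVerified) {
    return { ok: false, reason: "verification required but UV flag not set" };
  }
  return { ok: true, userVerified: d.userVerified };
}

// Constructed sample: zeroed rpIdHash placeholder, caller-chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 7;
  return b;
}
```

With the "preferred" policy the assertion is accepted either way, and the returned `userVerified` value tells the server whether a PIN was actually entered.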